[ISN] Zone-H.org statement about the announced defacement challenge

From: InfoSec News (isnat_private)
Date: Thu Jul 03 2003 - 01:16:06 PDT

    http://www.zone-h.org/en/news/read/id=2986/
    
    SyS64738 - G00db0y
    07/02/2003
    
    Zone-H.org statement about the announced "defacement challenge"
    
    We at Zone-H have been informed about the oncoming "defacement
    challenge", a defacer contest that should happen July 6th, in which
    defacers are challenged to deface as many as 6,000 in the shortest
    time possible.
    
    It is quite clear, judging by the sharp decrease in defacement
    notifications that occurred during the last days, that the crackers
    aren't at the beach but are rather rooting possible targets without
    defacing them, so as to be ready with a lot of ready-to-be-defaced
    targets to be used on the contest day.
    
    Many news articles have been written about this contest, many of them
    reporting serious alerts about possible Internet service disruption.
    Those who wrote or reported such alerts are obviously not aware of
    how a defacement is usually done.
    
    Those who have a "trained eye" like Zone-H, when analyzing the text
    reported on the defacement-challenge website
    (www.defacers-challenge.com), understood immediately that, since the
    "rules" state that there will not be any difference when counting a
    single defacement (single IP) or a mass-defacement (many domain names
    on the same IP) and the given time frame will be only six hours, what
    is mostly going to happen is that a lot of web hosting companies will
    be hit, rather than single servers belonging to different companies.
    
    Due to this, we don't forecast any possible disruption of Internet
    service, as very little traffic will be generated.
    
    In fact, a mass-defacement (even of several thousand domain names) is
    usually conducted by opening a SINGLE connection to the attacked
    server. Once either root/admin privileges or webserver privileges
    have been obtained, a special defacement tool (maybe a Perl script)
    is usually uploaded.
    
    This tool reads the webserver configuration files, such as
    httpd.conf, and automatically substitutes all the main pages
    (index.html etc.) of the hosted websites with the defaced one, doing
    the job of defacing thousands of websites in a matter of seconds.
    
    Judging by the "rumors", we at Zone-H are forecasting a number of
    attacks starting from anywhere around 20,000 and up.
    
    As usual, Zone-H wants to render a service to the community, so here
    is our advice for sysadmins:
    
    Defacers are usually looking for easy targets; mass defacers in a
    hurry (as they'll be on July 6th) are looking for even easier targets.
    All webserver administrators must:
    
    - download and apply all the possible official patches released by the 
      software producers
    
    - shut down all the unnecessary modules 
    
    - close all the unnecessary ports
    
    - download one of the many vulnerability scanners and run a security 
      check on their own system
    
    Administrators managing their own private server shouldn't be
    concerned more than usual, while administrators who are managing
    servers of web-hosting companies should be VERY MUCH concerned.
    
    It is unlikely that any server will be hacked on July 6th. Most of the
    servers that will be attacked that day were most likely conquered by
    crackers a few days before the contest.
    
    Due to this, the fact that you downloaded and installed the patches
    and shut down the unnecessary services is not enough. In fact it is
    very possible that a backdoor/rootkit has been installed by the
    attacker to prevent sysadmins from banning future access to their
    servers by patching.
    
    Considering this, we advise all sysadmins to:
    
    - check for any freshly added user in the user list (shadow file, SAM
      file etc.)
    
    - check for any suspicious connection on the open ports.
    
    - run a trojan/backdoor checking program.
    
    - look for any suspicious shell program 
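The first item in that list, checking for freshly added users, is easy to automate on a Unix host by diffing the account database against a snapshot taken while the server was known to be clean. The script below is an added example, not part of the Zone-H statement: it compares two passwd and two shadow snapshots and flags new accounts, non-root accounts with UID 0, service accounts whose login shell was switched from nologin to a real shell, and locked accounts that suddenly have a password hash. All four snapshots are constructed for the demonstration (the hashes are placeholders); on a real server you would read `/etc/passwd` and `/etc/shadow` as root and keep the baseline copies off the box.

```python
# Login shells that mark an account as non-interactive; a change away from
# one of these is a classic sign of a service account being repurposed.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed passwd/shadow snapshots (not from the article). The BASELINE
# pair was taken from a known-good system; the CURRENT pair is what the
# server looks like after a hypothetical intrusion. Hashes are placeholders.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/:/bin/sh
"""
BASELINE_SHADOW = """\
root:$6$placeholder$hashA:19500:0:99999:7:::
www-data:*:19500:0:99999:7:::
alice:$6$placeholder$hashB:19500:0:99999:7:::
"""
CURRENT_SHADOW = """\
root:$6$placeholder$hashA:19500:0:99999:7:::
www-data:$6$placeholder$hashC:19540:0:99999:7:::
alice:$6$placeholder$hashB:19500:0:99999:7:::
toor:$6$placeholder$hashD:19540:0:99999:7:::
"""


def _records(text, nfields):
    """Yield colon-separated records, skipping blank and comment lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        yield fields


def parse_passwd(text):
    """Map account name -> {'uid', 'gid', 'home', 'shell'} from passwd(5) text."""
    accounts = {}
    for name, _pw, uid, gid, _gecos, home, shell in _records(text, 7):
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def parse_shadow(text):
    """Map account name -> password field (a hash, or a lock marker such as '*' or '!')."""
    return {fields[0]: fields[1] for fields in _records(text, 9)}


def is_locked(pw_field):
    return pw_field.startswith(("!", "*"))


def audit_passwd(baseline_text, current_text):
    """Findings as tuples whose first element names the condition."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, acct in cur.items():
        if name not in base:
            findings.append(("new_account", name, acct["shell"]))
        if acct["uid"] == 0 and name != "root":
            findings.append(("uid0_account", name))
        if name in base:
            old = base[name]
            if old["shell"] in NOLOGIN_SHELLS and acct["shell"] not in NOLOGIN_SHELLS:
                findings.append(("shell_enabled", name, old["shell"], acct["shell"]))
            if old["uid"] != acct["uid"]:
                findings.append(("uid_changed", name, old["uid"], acct["uid"]))
    findings.extend(("removed_account", name) for name in base if name not in cur)
    return findings


def audit_shadow(baseline_text, current_text):
    base, cur = parse_shadow(baseline_text), parse_shadow(current_text)
    findings = []
    for name, pw in cur.items():
        if name not in base:
            findings.append(("new_shadow_entry", name))
        elif is_locked(base[name]) and not is_locked(pw):
            findings.append(("locked_account_unlocked", name))
        if pw == "":
            findings.append(("empty_password", name))
    return findings


def demo():
    return audit_passwd(BASELINE_PASSWD, CURRENT_PASSWD) + audit_shadow(BASELINE_SHADOW, CURRENT_SHADOW)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

The passwd and shadow checks are kept separate because the two files answer different questions: passwd shows who can log in and as what UID, shadow shows whether a login is actually possible, and an attacker who only unlocks an existing service account (as www-data here) leaves passwd's account list unchanged.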
    
    We also want to remind you that the most recently exploited
    vulnerabilities used by defacers are in the following
    packages/services:
    
    - OpenSSL
    
    - Samba
    
    - WebDAV
    
    - FrontPage extensions misconfiguration
    
    - AIX ftpd
    
    - Solaris telnetd
    
    - Sendmail
    
    - wu-ftpd
    
    - ProFTPD
    
    - PHP-Nuke (not for mass defacement but still an ever-present one)
    
    - OmniBack II
    
    - cPanel
    
    We invite all IT security online magazines to report this article so
    as to better inform sysadmins about possible countermeasures.
    
    SyS64738 - G00db0y www.zone-h.org admins
    
    
    
    -
    ISN is currently hosted by Attrition.org
    